DMZ on pfSense VM
I'm pretty new to the world of pfSense and was wondering if you could help me. I've been looking at this guide: http://www.redpacketsecurity.com/setting-up-a-dmz-on-esxi-5-5-with-pfsense-ready-for-a-honeypot/
This is pretty much want I want to set up but i'm wondering if I need to purchase an additional NIC. My set up currently consists of a BTHomehub acting as the gateway, dhcp server etc and I have a raspberry pi connected and a server with one NIC.
The server is currently hosting a few VM's that I want to put in a DMZ so they can't contact the other machines on the LAN for security purposes.
I tried creating a WAN vswitch, a LAN vswitch and a DMZ vswitch with no adaptor as the guide suggests but am I in need of another NIC? :-\
Please let me know if you have any suggestions :)
you do not need another nic to create a vswitch to connect VMs too.. The only time you need a physical nic is when you want to connect a vswitch to physical world.
Just give pfsense a new vnic, connect to your dmz vswitch, then connect what other vms you want to that same dmz vswitch… There you go "dmz" you have pfsense between these devices and your other networks be they only on your esxi host or physical networks and or the internet.
You just need to lock down the rules on pfsense so this dmz network you create does not have access to anything but the internet. Here is example rules I have for my dmz.
So I allow devices in my dmz segment to ping pfsense both ipv4 and ipv6. I allow it to ask pfsense for dns both ipv4 and v6. I then reject any other connection to any other IP pfsense might have. This includes any other local side IPs or any wan IP.
I then allow dmz clients to go anywhere they want as long as the networks are not rfc1918 or any of my local ipv6 networks. I have a /48 so I have multiple /64 ipv6 network segments. You could get more restrictive if you wanted to, so for example I hand out dhcp to this segment, and I allow to use pfsense for dns and ping dns. But you don't have to allow that if you don't want to.
So second attached you will see I have couple of vms attached to my dmz vswitch, see pfsense is attached (pf22) while on the lan pfsense is is attached there with many more vms and is attached to physical nic that is attached to my physical network.
Hope that helps.
Hi thanks for your helpful response, good to know that I won't need an additional NIC. The problem I can see however is that I have a BThomehub as my gateway but from what I've seen online is that I can't set this up as bridged and so have to buy an additional modem as the bthomehub won't allow this. I've been able to set up pfsense so i can administrate it by its lan interface but I've never had a working lan connection/ppoe. Your help will be useful later on I think once I've sorted this internet connection predicament.
I figured maybe I could get a supported openreach ADSL modem and connect the bthomehub as an access point and dumb switch. From here i'd maybe able to connect to PPOE and have a working wan, lan and dmz. Does any of this make sense?
If anyone has set up a bthomehub with pfSense please let me know
what does it matter.. You can have both rfc1918 on your pfsense wan and lan - that is just a double nat is all.
So what network is your current network behind your isp device?
Lets say its 192.168.1.0/24 – you just need to make the pfsense lan something other than that say 192.168.2.0/24
Plug pfsense wan into your isp device just like any other device you would put on your network. Or if on a esxi host, this would be your wan vswitch physical interface. Then you would put your vmkern port group and normal lan vswitch on this 192.168.2.0/24 network connected into the network your pfsense lan is on.
So are you saying I don't have to have the pfsense as a router and can just use it for my dmz? that would be fantastic.
I've got a 192.168.1.254 bt homehub as gateway, I will make a 192.168.2.0 LAN for the VM's and point my WAN towards the gateway of 192.168.1.254? Sorry i'm clueless!
I'm feeling hopeful now, i was convinced I was going to have to buy a modem to connect to the bthomehub so I could have my pfsense as a router but this is a much cleaner setup. I will post my virtual network setup shortly, thank you so much.
No you can still use it as your router for your whole network, which is what I would suggest you do..
But sure if you want to just use pfsense for your esxi vms firewall sure you could do that..
So your current isp device, nats the public internet for you and gives you 192.168.1.0/24 network with is IP being 192.168.1.254.. Great… So connect pfsense to that device, let its wan be dhcp.. It will now get an IP on 192.168.1.0/24 with its gateway pointing to 192.168.1.254
Plug the rest of your network into pfsense lan which you make 192.168.2.0/24 -- there you go problem solved. Do you need a drawing??
Nah that makes perfect sense ! i'm just new to this whole vmware virtual networking sort of thing, confuses me!
Thanks again, I shall crack on and get it sorted.
For the 192.168.2.0 network, will its gateway be the firewall and that could be a static ip in that same subnet? 192.168.2.1 for instance
i've got the pfsense as 192.168.1.175 management and can control it.
!(http://[url]<br />[img]http://i1024.photobucket.com/albums/y308/Jack_JM/net1_zpsn6g6i6xq.jpg[/img]<br />[img]http://[url]<br />[img]http://i1024.photobucket.com/albums/y308/Jack_JM/net2_zpspq7bpaus.jpg[/img]<br />That's my current set up that I have which i'm in the process of changing, what should I set the vmkernel's gateway to be for the 192.168.2.0 network? <br /><br />Thanks, <br />Jack[/url][/img][/url])
Sorry not all the images copied properly,
Yes the gateway would be whatever you make pfsense IP in the 192.168.2.0/24 network.
VM networking is very simple on esxi… Just think as your vswitches as real switches and the network card you connect to them are just uplinks to your real switch..
So with pfsense on your esxi host you end up with something like attached. Blue stuff is virtual switches and nics, pfsense is VM as well.
While your vmkern could have a gateway - to be honest unless you want it to have internet access no real reason to point it to pfsense lan IP. If your just going to ba accessing it from something else on the 192.168.2.0/24 network be it virtual or physical. See attached my esxi host vswitches. While I do have my vmkern broke out on its own vswitch and its own physical nic uplink.. Its still on my lan network 192.168.9.0/24 in my case. So pfsense has 192.168.9.253 on lan which is gateway for anything on that network. While it has other networks as well for example the dmz is 192.168.3.253 -- see attached pfsense interfaces.
The only difference in your setup and mine is your behind a double nat, since you don't have a public IP on pfsense wan.. So more than likely you would want to make the pfsense wan IP the dmz host in your isp device. So that all ports get sent to pfsense wan. Or if you want to do any port forwarding you will have to do both on your isp device and pfsense.